sectoprat | 1a34c9b4500cf7859c36c102209902202fb7188aca1ba759f2d5018bf2655cc1

Analysis

max time kernel
196s
max time network
203s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12/03/2025, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lancaster.zip
Size

7.5MB
MD5

aa29ff8dcbfb8156eba033e28f03a04f
SHA1

1453014278c8891fce9685c0a6bd4d079a763c24
SHA256

1a34c9b4500cf7859c36c102209902202fb7188aca1ba759f2d5018bf2655cc1
SHA512

14a8efc38a3dd0215b5b9587c80740681e0464f075ee777389e9458411590cf3cdd3eb0a7ef328effea5ae0ddc6e6af20266ed88717743cd46b364e0736c3eef
SSDEEP

196608:GHSvJ6cIKoyGu1Rox8S3E06jJ/lSeZ/zr1mzScXNwG6qyOmcwzr+o:GHSAzTZu1RoxhL6hhpzQS4Sbqxm1N

Score

10^/10

sectoprat credential_access discovery rat spyware stealer trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3896-16-0x0000000000770000-0x0000000000844000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2688	chrome.exe
4292	chrome.exe
4004	chrome.exe
2412	msedge.exe
2300	msedge.exe
3088	chrome.exe
3936	chrome.exe
1112	msedge.exe
1940	msedge.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 4540	3496	zkwindow.exe	97
PID 4540 set thread context of 3896	4540	cmd.exe	100

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zkwindow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3496	zkwindow.exe
3496	zkwindow.exe
4540	cmd.exe
4540	cmd.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
2688	chrome.exe
2688	chrome.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
3768	msedge.exe
3768	msedge.exe
2412	msedge.exe
2412	msedge.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe
3896	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3496	zkwindow.exe
4540	cmd.exe
4540	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	MSBuild.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3896	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4540	3496	zkwindow.exe	97
PID 3496 wrote to memory of 4540	3496	zkwindow.exe	97
PID 3496 wrote to memory of 4540	3496	zkwindow.exe	97
PID 3496 wrote to memory of 4540	3496	zkwindow.exe	97
PID 4540 wrote to memory of 3896	4540	cmd.exe	100
PID 4540 wrote to memory of 3896	4540	cmd.exe	100
PID 4540 wrote to memory of 3896	4540	cmd.exe	100
PID 4540 wrote to memory of 3896	4540	cmd.exe	100
PID 4540 wrote to memory of 3896	4540	cmd.exe	100
PID 3896 wrote to memory of 2688	3896	MSBuild.exe	102
PID 3896 wrote to memory of 2688	3896	MSBuild.exe	102
PID 2688 wrote to memory of 1572	2688	chrome.exe	103
PID 2688 wrote to memory of 1572	2688	chrome.exe	103
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 792	2688	chrome.exe	104
PID 2688 wrote to memory of 1480	2688	chrome.exe	105
PID 2688 wrote to memory of 1480	2688	chrome.exe	105
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106
PID 2688 wrote to memory of 3396	2688	chrome.exe	106

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Lancaster.zip
1⤵
PID:4532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3604

C:\Users\Admin\Documents\Lancaster\version_21\zkwindow.exe
"C:\Users\Admin\Documents\Lancaster\version_21\zkwindow.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8322 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff9aadccc40,0x7ff9aadccc4c,0x7ff9aadccc58
        5⤵
        
        PID:1572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2100,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2088 /prefetch:2
        5⤵
        
        PID:792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2084 /prefetch:3
        5⤵
        
        PID:1480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2228 /prefetch:8
        5⤵
        
        PID:3396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3252 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3424 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4292
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4560 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:3936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4308,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4528 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4216 /prefetch:8
        5⤵
        
        PID:2800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5056 /prefetch:8
        5⤵
        
        PID:1484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=8105 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:2412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9a5f346f8,0x7ff9a5f34708,0x7ff9a5f34718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        5⤵
        
        PID:4908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
        5⤵
        
        PID:1732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8105 --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8105 --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8105 --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2300

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
470eb63cd3bb53bd0d8fa7b755ec63b3

SHA1
9990a6ff861d1fd97f9825e5245ef6f2b8e11b67

SHA256
28133b691344d14e0c90a3150019d820202047f81cd5824c264590d774fb4968

SHA512
bce5ba8fc484a4227436bbbcfe648846db3846a0befc1a708febf7911ccb02ea9af0cb6520c9a31370836baf2874506fdfb676e812e811f2cfa8d016f9e1ad81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c787930d470d0be053d565378051623e

SHA1
28e41641d6c01ee6eac6d8da2b1bbcdf846bbaf0

SHA256
a80de15c02d30a203b3ed152d11995318fe79a4eb99fa6de1f5600ad6623248f

SHA512
9736fc38006a0e8bf29a1c87c251afa1d47dfbadefbc16e844c15d626dc7d0aad622e3bd0925f3abe745a312914a3e9db2026439cbbd2a752589d1f3499aeb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\78b6a9b6-aa1e-4158-8639-c3ee30d7f2f9.tmp

Filesize
25KB

MD5
0cd39cdccc8f3b3939648da828389f22

SHA1
ff3211bd0be85614f15c3a0ad377018d56ede494

SHA256
efdce0e430392d46ab498257a982b91e835616d0f8bfcac0616b422706f6c915

SHA512
d717fb61e5eb0702772b7379a405461f6716f68e12e31127a6d54482c6f545951424a06c6d54fda79685fa4144a692c7deb63795d775efd5a9f571b986685339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
57eb58a1673036c458fd0e8a3cc0aeb5

SHA1
a38804b1cbd46df440fc8ab2acade50cbfc9d252

SHA256
12a74bc4e5f2d660645a6495f3b19e708aa3798cc08ff4bad6d712f37d655195

SHA512
825f858e933f14ff67e6a804a7eff08f490fbbeb9a6ad369f66a90adec268ba6070d57e5702afcd29d1b8dfd56a679e719ae878ca866e2dc758b57d6a7f9b749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
7636724d8b2102f0a75a6097a61064d9

SHA1
8cc7f171c59533c3cff01c2caa16f34923f0f008

SHA256
851e05cafd8d54dcace48ee02d74ceda02042a053b3befaf2f8c9f466d28c5aa

SHA512
3b339bc4dc52f576207265341a415e5dfa9f770b1b5e4e105b10a8c69e05505e3e4e2d56468c5ca682ea2723e8b1866a1a78595149ee59b219bd620b9509175b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e7c2ee2

Filesize
1.5MB

MD5
44bc12e104f0c7ff320947dd3afd631d

SHA1
de0bb513c6ff111dac8058abe30cc67e9add93c9

SHA256
3437ccd518af59f2181e1b9ce445521314f6fbe1094ac38b62a49cc1b04729c9

SHA512
40d7f52a2780d7e7f86b3fd9eab32d30d1cad192ceb1f268b11056a244e1d6958b7c13ac282839dbb566b1cb5e7d6631cb3d9d778b9703627d6c1f550bf6757f

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\background.js

Filesize
596B

MD5
aa0e77ec6b92f58452bb5577b9980e6f

SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f

SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde

SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\content.js

Filesize
1KB

MD5
b99e276fef10819d079bc384a542e551

SHA1
aa944e07cc4067c74ab3463eee6ef6ea2404cc5e

SHA256
6851b8fe5bc61870c4097702858853f4a25332e4b813dfc9932ee0ca7d77f691

SHA512
22db1c84cc67ea221d298a14508c9f36265e6ac2c14fd29d30df3c43fbfb6ba80c9c587bd3a00e6662069096bc03bf6077186162a4a010d9f64d76aa1ea96e11

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\icon.png

Filesize
5KB

MD5
2c905a6e4a21a3fa14adc1d99b7cbc03

SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9

SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb

SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\jquery.js

Filesize
93KB

MD5
3c9137d88a00b1ae0b41ff6a70571615

SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a

SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1

SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae

Download Submit
C:\Users\Admin\AppData\Local\nimdA\llg\manifest.json

Filesize
569B

MD5
2835dd0a0aef8405d47ab7f73d82eaa5

SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c

SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3

SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc

Download Submit
memory/3496-6-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/3496-5-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/3496-4-0x0000000074723000-0x0000000074725000-memory.dmp

Filesize
8KB

Download
memory/3496-3-0x00007FF9C91D0000-0x00007FF9C93C8000-memory.dmp

Filesize
2.0MB

Download
memory/3496-2-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/3496-0-0x0000000000A20000-0x0000000000ABE000-memory.dmp

Filesize
632KB

Download
memory/3496-1-0x0000000000AC0000-0x0000000000CFD000-memory.dmp

Filesize
2.2MB

Download
memory/3896-21-0x0000000005400000-0x0000000005476000-memory.dmp

Filesize
472KB

Download
memory/3896-33-0x0000000004E70000-0x0000000004E82000-memory.dmp

Filesize
72KB

Download
memory/3896-34-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/3896-29-0x0000000008300000-0x000000000830A000-memory.dmp

Filesize
40KB

Download
memory/3896-24-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/3896-23-0x00000000054D0000-0x00000000054EE000-memory.dmp

Filesize
120KB

Download
memory/3896-22-0x0000000005FF0000-0x000000000651C000-memory.dmp

Filesize
5.2MB

Download
memory/3896-20-0x0000000005130000-0x00000000052F2000-memory.dmp

Filesize
1.8MB

Download
memory/3896-19-0x0000000004DC0000-0x0000000004E10000-memory.dmp

Filesize
320KB

Download
memory/3896-18-0x0000000005510000-0x0000000005AB6000-memory.dmp

Filesize
5.6MB

Download
memory/3896-17-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/3896-16-0x0000000000770000-0x0000000000844000-memory.dmp

Filesize
848KB

Download
memory/3896-13-0x0000000072B90000-0x0000000073DE3000-memory.dmp

Filesize
18.3MB

Download
memory/4540-11-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/4540-9-0x00007FF9C91D0000-0x00007FF9C93C8000-memory.dmp

Filesize
2.0MB

Download